Hi,

I installed the shorewall 1.3.8-2 Debian package on my Debian testing machine, which serves as the gateway to the internet. Since I have two other machines connecting to the internet through this gateway machine, I also downloaded the configuration guide for "basic two-interface firewall" and followed the instructions. When I try to start Shorewall I get the following message and cannot start it:

==============================================
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
Policy REJECT for fw to net using chain all2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
Cannot send dump request: Connection refused
Terminated
=========================================================

When I follow the tracing instructions, I get the following:

# tail /tmp/trace
++ '[' -f /etc/shorewall/stopped ']'
++ logger 'Shorewall Stopped'
++ rm -rf /tmp/shorewall-31374
++ my_mutex_off
++ '[' -n Yes ']'
++ mutex_off
++ rm -f /var/lib/shorewall/lock
++ have_mutex=
++ kill 31374
++ exit 2

- I have all the mentioned modules loaded.

Any help will be appreciated. Thanks.
Suren wrote:
> Hi,
>
> I installed the shorewall 1.3.8-2 debian package to my debian testing
> machine which serves as the gateway to the internet. Since I have two
> other machine connect to internet thru this gateway machine, I also
> downloaded the configuration guide for "basic two-interface firewall"
> and followed the instructions. When I try to start the shorewall I get the
> following message and can not start it:
> ==============================================
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Net Zone: eth0:0.0.0.0/0
> Local Zone: eth1:0.0.0.0/0
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Adding rules for DHCP
> Enabling RFC1918 Filtering
> Setting up Kernel Route Filtering...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
> Rule "ACCEPT fw net tcp 53" added.
> Rule "ACCEPT fw net udp 53" added.
> Rule "ACCEPT loc fw tcp 22" added.
> Setting up ICMP Echo handling...
> Processing /etc/shorewall/policy...
> Policy REJECT for fw to net using chain all2all
> Policy REJECT for loc to fw using chain all2all
> Policy ACCEPT for loc to net using chain loc2net
> Masqueraded Subnets and Hosts:
> Cannot send dump request: Connection refused
> Terminated
> =========================================================
> When I follow the tracing instruction, I get the following
>
> # tail /tmp/trace
> ++ '[' -f /etc/shorewall/stopped ']'
> ++ logger 'Shorewall Stopped'
> ++ rm -rf /tmp/shorewall-31374
> ++ my_mutex_off
> ++ '[' -n Yes ']'
> ++ mutex_off
> ++ rm -f /var/lib/shorewall/lock
> ++ have_mutex=
> ++ kill 31374
> ++ exit 2
>
> - I have all the mensioned modules loaded. Ay help will be
> appreciated.

When a start error occurs, Shorewall goes into a stopped state -- you have just given us the last few commands involved in stopping Shorewall (in other words, totally worthless in discovering what your problem really is).

Please "less /tmp/trace" and search for "Connection refused" -- the commands leading up to that error message are where the problem is.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

Thanks for the quick response. Here is some portion of the trace file just before the "Connection refused". I hope I included the right parts. Thanks again.

....
+ policy_rules loc2net ACCEPT
+ local target=ACCEPT
+ '[' 2 -eq 3 ']'
+ '[' -n ACCEPT ']'
+ run_iptables -A loc2net -j ACCEPT
++ echo -A loc2net -j ACCEPT
++ sed 's/!/! /g'
+ iptables -A loc2net -j ACCEPT
+ echo ' Policy ACCEPT for loc to net using chain loc2net'
+ return
+ chain=loc2loc
+ havechain loc2loc
+ eval test '"$loc2loc_exists"' = Yes
++ test '' = Yes
++ find_file masq
++ '[' -n '' -a -f /masq ']'
++ echo /etc/shorewall/masq
+ masq=/etc/shorewall/masq
+ '[' -f /etc/shorewall/masq ']'
+ setup_masq /etc/shorewall/masq
+ strip_file masq /etc/shorewall/masq
+ local fname
+ '[' 2 = 1 ']'
+ fname=/etc/shorewall/masq
+ '[' -f /etc/shorewall/masq ']'
+ cut -d# -f1 /etc/shorewall/masq
+ grep -v '^[[:space:]]*$'
+ '[' -n Yes ']'
+ echo 'Masqueraded Subnets and Hosts:'
+ read interface subnet address
+ expandv interface subnet address
+ local varval
+ '[' 3 -gt 0 ']'
+ eval 'varval=$interface'
++ varval=eth0
+ eval 'interface="eth0"'
++ interface=eth0
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$subnet'
++ varval=eth1
+ eval 'subnet="eth1"'
++ subnet=eth1
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$address'
++ varval=
+ eval 'address=""'
++ address=
+ shift
+ '[' 0 -gt 0 ']'
+ '[' -n Yes ']'
+ setup_one
+ local using
+ '[' eth0 = eth0 ']'
+ destnet=0.0.0.0/0
+ list_search eth0 eth0 eth1
+ local e=eth0
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xeth0 = xeth0 ']'
+ return 0
+ '[' eth1 = eth1 ']'
+ nomasq=
++ masq_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ echo eth0_masq
+ chain=eth0_masq
+ iface=
++ grep 'inet '
++ run_ip addr show eth1
++ ip addr show eth1
Cannot send dump request: Connection refused
++ '[' -z '' ']'
++ stop_firewall
++ stopping=Yes
++ deletechain shorewall
....
Suren wrote:
> Tom,
>
> Thanks for the quick response. Here is some portion of the trace file
> just before the "Connection refused". I hope I included the right
> parts. Thanks again.
> ....
> ++ ip addr show eth1
> Cannot send dump request: Connection refused

This captures the problem -- the firewall script issued the command 'ip addr show eth1' and there was an error.

I have never seen that error message before -- if you type "ip addr show eth1" from the command line, do you get the same error message?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Yes, I do get the same error from the command line.

# ip addr show eth1
Cannot send dump request: Connection refused

Anything I can do? Thanks.
Suren wrote:
> Yes I do get the same error from the command line.
> # ip addr show eth1
> Cannot send dump request: Connection refused
>
> Anything I can do?

Is eth1 up? If not, then you need to observe the restrictions about the second column in /etc/shorewall/masq -- you cannot place an interface name there unless that interface will be up when Shorewall starts.

If that's not the problem then you probably have a kernel configuration problem (see http://www.shorewall.net/kernel.htm) or something is wrong with your iproute installation. Do you see an error if you "ip addr show"?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
The eth1 is up.

# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:50:BA:44:41:70
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66735087 errors:2 dropped:0 overruns:0 frame:0
          TX packets:64204385 errors:0 dropped:0 overruns:0 carrier:0
          collisions:15054 txqueuelen:100
          RX bytes:59657518 (56.8 MiB)  TX bytes:1984269079 (1.8 GiB)
          Interrupt:11 Base address:0xbf00

I am writing this email from the client machine, which connects to a small hub; the gateway machine's eth1 is connected to the hub also.

Doing the "ip addr show", I do get the same error.

# ip addr show
Cannot send dump request: Connection refused

Currently I am running the firewall that is set up by gShield. Would this be something causing the connection refusal? Let me try (stopping gShield - flushing all rulesets)... did not help, same results.

I am puzzled. Thanks.
Suren wrote:
> The eth1 is up.
> #ifconfig
> eth1      Link encap:Ethernet  HWaddr 00:50:BA:44:41:70
>           inet addr:192.168.0.1  Bcast:192.168.0.255
>           Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:66735087 errors:2 dropped:0 overruns:0 frame:0
>           TX packets:64204385 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:15054 txqueuelen:100
>           RX bytes:59657518 (56.8 MiB)  TX bytes:1984269079 (1.8 GiB)
>           Interrupt:11 Base address:0xbf00
>
> I am writing this email from the client machine which connect to a
> small hub and gateway machine's eth1 is connected to the hub also.
>
> Doing the "ip addr show", I do get the same error.
> # ip addr show
> Cannot send dump request: Connection refused
>
> Currently I am running the firewall that is setup by gShield. Would
> this be something causing for connection refusal. Let me try (stopping
> gShield - flushing all rulsets)... did not help, same results.
>
> I am puzzled.

So am I -- until you can get 'ip' to work normally on your system, you will not be able to run Shorewall.

-tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Suren wrote:
> The eth1 is up.
> #ifconfig
> eth1      Link encap:Ethernet  HWaddr 00:50:BA:44:41:70
>           inet addr:192.168.0.1  Bcast:192.168.0.255
>           Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:66735087 errors:2 dropped:0 overruns:0 frame:0
>           TX packets:64204385 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:15054 txqueuelen:100
>           RX bytes:59657518 (56.8 MiB)  TX bytes:1984269079 (1.8 GiB)
>           Interrupt:11 Base address:0xbf00
>
> I am writing this email from the client machine which connect to a
> small hub and gateway machine's eth1 is connected to the hub also.
>
> Doing the "ip addr show", I do get the same error.
> # ip addr show
> Cannot send dump request: Connection refused
>
> Currently I am running the firewall that is setup by gShield. Would
> this be something causing for connection refusal. Let me try (stopping
> gShield - flushing all rulsets)... did not help, same results.
>
> I am puzzled.

So are you saying that you are running some other firewall and you are trying to start Shorewall while the other firewall is started?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
>
> So are you saying that you are running some other firewall and you are
> trying to start Shorewall while the other firewall is started?
>

I'm going to go check in on the World Series game -- back in a while....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
No, I did stop the other firewall first, which flushes all the rulesets and disables the firewall, and then I am trying to start Shorewall. I recently came across Shorewall when I was looking for a way to forward IPSEC traffic, and I am dying to have it start so I can test the VPN connection. Thanks.
Suren wrote:
> No, I did stop the other firewall first which flushes all the rulesets
> and disables the firewall, and then I am trying to start the
> shorewall. I recently came across with shorewall when I was looking
> for a way to forward IPSEC stuff and dying to have it start so I can
> test the VPN connection.

So when you are in this state where the ip command won't even work, what does "shorewall status" show you?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Suren wrote:
> No, I did stop the other firewall first which flushes all the rulesets
> and disables the firewall, and then I am trying to start the
> shorewall.

Are you sure? When you stop Shorewall, it does NOT flush all rulesets.

> I recently came across with shorewall when I was looking
> for a way to forward IPSEC stuff and dying to have it start so I can
> test the VPN connection.

To be able to run Shorewall, the most basic Linux networking utilities must run correctly. On your system, they do not. Until these utilities are able to run correctly on your system, there is no chance that you will be able to start Shorewall. If there are so-called "Firewall" packages on your system that disable these basic utilities, then those packages are badly broken and should be removed.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
I meant the other firewall, called "gShield". When I stopped it, it flushed all the rulesets (message to the console and log files).

I agree that I need to solve the problem with "ip addr show". I tested this command on my other Debian testing client machine, and it works fine there. I wonder what package this "ip" utility comes with, so I can reinstall it. I don't know what else to try at this point other than possibly posting to the Debian user group.

Please let me know if you have any suggestions to try. Thanks.
Suren wrote:
> I meant the other firewall called "gShield". When I stopped it, it
> flushes all the rulesets (message to the console and log files).
>
> I agree that I need to solve the problem with the "ip addr show". I
> test this command in my other debian testing installed client machine,
> and it works fine there. I wonder what package this "ip" utility comes
> with so I can reinstall it.

It is from the 'iproute' package.

> I don't know what else to try at this
> point other then possibly posting to the debian user group.
>
> Please let me know if you have any suggestions to try. Thanks.

I don't -- on my Debian test system, 'ip' works fine also.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Suren wrote:
> I meant the other firewall called "gShield". When I stopped it, it
> flushes all the rulesets (message to the console and log files).
>
> I agree that I need to solve the problem with the "ip addr show". I
> test this command in my other debian testing installed client machine,
> and it works fine there. I wonder what package this "ip" utility comes
> with so I can reinstall it. I don't know what else to try at this
> point other then possibly posting to the debian user group.
>
> Please let me know if you have any suggestions to try. Thanks.

You might try 'strace ip addr show'. If you get the diagnostic "-bash: strace: command not found" see if you can figure that one out yourself...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Here are the strace results:

execve("/bin/ip", ["ip", "addr", "show"], [/* 21 vars */]) = 0
uname({sys="Linux", node="debian", ...}) = 0
brk(0) = 0x805dc64
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40013000
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=45478, ...}) = 0
old_mmap(NULL, 45478, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3) = 0
open("/lib/libresolv.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300'\0"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0644, st_size=56448, ...}) = 0
old_mmap(NULL, 65252, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40020000
mprotect(0x4002d000, 12004, PROT_NONE) = 0
old_mmap(0x4002d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xd000) = 0x4002d000
old_mmap(0x4002e000, 7908, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4002e000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\204\221"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1145456, ...}) = 0
old_mmap(NULL, 1157888, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40030000
mprotect(0x40141000, 39680, PROT_NONE) = 0
old_mmap(0x40141000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x111000) = 0x40141000
old_mmap(0x40147000, 15104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40147000
close(3) = 0
munmap(0x40014000, 45478) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 3
bind(3, {sin_family=AF_NETLINK, {sa_family=16, sa_data="\0\0\0\0\0\0\0\0\0\0\236\224\0@"}, 12) = 0
getsockname(3, {sin_family=AF_NETLINK, {sa_family=16, sa_data="\261\307R\34\0\0\0\0\0\0\236\224\0@"}, [12]) = 0
time(NULL) = 1035347195
sendto(3, "\24\0\0\0\22\0\1\3\374$\266=\0\0\0\0\0\0\0\0", 20, 0, {sin_family=AF_NETLINK, {sa_family=16, sa_data="\0\0\0\0\0\0\0\0\0\0\24\0\0\0"}, 12) = -1 ECONNREFUSED (Connection refused)
dup(2) = 4
fcntl64(4, F_GETFL) = 0x8001 (flags O_WRONLY|O_LARGEFILE)
close(4) = 0
write(2, "Cannot send dump request: Connec"..., 45Cannot send dump request: Connection refused
) = 45
_exit(1) = ?
On Tue, 22 Oct 2002, Tom Eastep wrote:

> Suren wrote:
> > Tom,
> >
> > Thanks for the quick response. Here is some portion of the trace file
> > just before the "Connection refused". I hope I included the right
> > parts. Thanks again.
> > ....
>
> > ++ ip addr show eth1
> > Cannot send dump request: Connection refused
>
> This captures the problem -- the firewall script issued the command 'ip
> addr show eth1' and there was an error.
>
> I have never seen that error message before -- if you type "ip addr show
> eth1" from the command line, do you get the same error message?
>

Google is your friend. :-)

From http://snafu.freedom.org/linux2.2/docs/ip-cref/ip-cref.html:

  2. RTNETLINK is not configured in the kernel. In this case one of the
     following messages may be printed, depending on the command:

       Cannot talk to rtnetlink: Connection refused
       Cannot send dump request: Connection refused

Is RTNETLINK compiled into your kernel?
Suren wrote:
> socket(PF_NETLINK, SOCK_RAW, 0) = 3
> bind(3, {sin_family=AF_NETLINK, {sa_family=16,
> sa_data="\0\0\0\0\0\0\0\0\0\0\236\224\0@"}, 12) = 0
> getsockname(3, {sin_family=AF_NETLINK, {sa_family=16,
> sa_data="\261\307R\34\0\0\0\0\0\0\236\224\0@"}, [12]) = 0
> time(NULL) = 1035347195
> sendto(3, "\24\0\0\0\22\0\1\3\374$\266=\0\0\0\0\0\0\0\0", 20, 0,
> {sin_family=AF_NETLINK, {sa_family=16,
> sa_data="\0\0\0\0\0\0\0\0\0\0\24\0\0\0"}, 12) = -1 ECONNREFUSED
> (Connection refused)
> dup(2) = 4
> fcntl64(4, F_GETFL) = 0x8001 (flags
> O_WRONLY|O_LARGEFILE)
> close(4) = 0
> write(2, "Cannot send dump request: Connec"..., 45Cannot send dump
> request: Connection refused
> ) = 45
> _exit(1) = ?
>

Looks like there is something wrong with NETLINK support in your kernel.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
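The strace in the two messages above shows exactly what 'ip addr show' does before it fails: socket(PF_NETLINK, SOCK_RAW, 0) (protocol 0 is NETLINK_ROUTE), a bind, then a 20-byte sendto carrying an RTM_GETLINK dump request (type 0x12, flags 0x0301 = NLM_F_REQUEST|NLM_F_ROOT|NLM_F_MATCH) addressed to nl_pid 0, the kernel. The kernel answers ECONNREFUSED because nothing on its side is listening on NETLINK_ROUTE. The program below is an added example written for this editing pass; it is not code from the thread, from Shorewall or from iproute. It reproduces that exchange in C so you can test RTNETLINK support on a box with no 'ip' binary at all, and it counts the RTM_NEWLINK replies so a working kernel gives a positive answer. The wording in rtnl_explain() is this example's own reading of the errno values (the 2.4.16 threshold is Tom's recollection later in the thread); it is not an iproute API.

```c
/* Added example, not from the thread or from Shorewall/iproute:
 * reproduce the RTM_GETLINK dump that `ip addr show` sends on a
 * NETLINK_ROUTE socket and classify the failure. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Send an RTM_GETLINK dump on NETLINK_ROUTE and count RTM_NEWLINK replies.
 * Returns the number of interfaces (>= 1 on any working kernel, lo is
 * always there) or -errno on failure. sendto() failing with ECONNREFUSED
 * is the thread's symptom: no kernel-side receiver for NETLINK_ROUTE. */
int rtnl_count_links(void)
{
    struct {
        struct nlmsghdr nlh;
        struct rtgenmsg gen;
    } req;
    struct sockaddr_nl kernel;
    struct timeval tv = { 2, 0 };          /* never hang on a silent kernel */
    char buf[16384];
    int fd, len, count = 0, done = 0;

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)); /* 20 bytes, as in the strace */
    req.nlh.nlmsg_type = RTM_GETLINK;                           /* 0x12 */
    req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;           /* 0x0301 */
    req.nlh.nlmsg_seq = 1;
    req.gen.rtgen_family = AF_UNSPEC;

    memset(&kernel, 0, sizeof kernel);
    kernel.nl_family = AF_NETLINK;          /* nl_pid 0 addresses the kernel */

    if (sendto(fd, &req, req.nlh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }

    /* A dump may span several recv() calls; NLMSG_DONE terminates it. */
    while (!done) {
        len = recv(fd, buf, sizeof buf, 0);
        if (len < 0) {
            int e = errno;
            close(fd);
            return -e;
        }
        for (struct nlmsghdr *h = (struct nlmsghdr *)buf;
             NLMSG_OK(h, len); h = NLMSG_NEXT(h, len)) {
            if (h->nlmsg_type == NLMSG_DONE) {
                done = 1;
                break;
            }
            if (h->nlmsg_type == NLMSG_ERROR) {
                struct nlmsgerr *err = NLMSG_DATA(h);
                if (err->error) {       /* kernel reports -errno here; 0 is an ACK */
                    close(fd);
                    return err->error;
                }
                continue;
            }
            if (h->nlmsg_type == RTM_NEWLINK)
                count++;
        }
    }
    close(fd);
    return count;
}

/* Turn rtnl_count_links()'s result into the diagnosis an admin needs. */
const char *rtnl_explain(int rc)
{
    if (rc >= 0)
        return "RTNETLINK works";
    switch (-rc) {
    case ECONNREFUSED:
        return "no kernel-side listener on NETLINK_ROUTE: on 2.4 kernels before "
               "2.4.16 this means CONFIG_RTNETLINK is not set; rebuild or upgrade";
    case EPERM:
    case EACCES:
        return "netlink request blocked by policy (seccomp, LSM or capability), "
               "not a kernel build problem";
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT:
        return "netlink socket family not supported by this kernel";
    case EAGAIN:
        return "kernel accepted the request but never answered (timeout)";
    default:
        return strerror(-rc);
    }
}

int main(void)
{
    int rc = rtnl_count_links();
    if (rc >= 0)
        printf("RTM_GETLINK dump returned %d interface(s)\n", rc);
    else
        printf("dump request failed: %s\n", rtnl_explain(rc));
    return rc < 0;
}
```

Run it as any user; RTM_GETLINK needs no capability. On Suren's 2.4.9 kernel sendto() returns -1/ECONNREFUSED exactly as in his strace; on a kernel with rtnetlink the dump lists at least lo. The EPERM/EACCES branch matters on modern hosts, where a container or seccomp profile can refuse netlink and produce a superficially similar failure that no kernel rebuild will fix.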
The v1.0-rc4 version of this single-floppy, Shorewall-based router has been released. It includes the latest (1.3.9b) version of Shorewall. All the info is here: http://leaf.sourceforge.net/article.php?sid=61

Jacques
I have the 2.4.9 kernel installed on this gateway machine and, checking the config file, I see that CONFIG_RTNETLINK is not set. I will recompile the kernel, possibly 2.4.18, but what is interesting is that on my client machine (where ip addr show works perfectly), which is running the 2.4.18 kernel, I can NOT find RTNETLINK mentioned anywhere in the config file, although the .h and .c files are in the kernel source directory.

Does "not having CONFIG_RTNETLINK" in 2.4.9 sound normal, based on the observation from the 2.4.18 kernel config? Thanks
Suren wrote:
> I have 2.4.9 kernel installed in this gateway machine and checking the
> config file, I see that the CONFIG_RTNETLINK is not set. I will
> recompile the kernel, possible 2.4.18, but interesting is in my client
> machine (ip addr show works perfectly) which is running with 2.4.18
> kernel, checking the config file,
> I can NOT find RTNETLINK mentioned anywhere in the config file
> although .h and .c files are in the kernel source directory.
>
> Does this sound normal with "not having the CONFIG_RTNETLINK" in
> 2.4.9 based on the observation from the 2.4.18 kernel config?
>

RTNETLINK was made a standard part of the kernel at around 2.4.16 as I recall. So in 2.4.9, you MUST set it and in 2.4.18 you get it whether you want it or not.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
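The diagnosis reached over the last few messages (does 'ip' talk to the kernel at all; if not, is this a 2.4 kernel old enough to need CONFIG_RTNETLINK set by hand, and what does its config say) is cheap to script as a pre-flight check before starting Shorewall on a gateway. The script below is an added example, not from the thread and not part of Shorewall. It assumes the "unconditional from 2.4.16" threshold that Tom recalls above, the usual Debian config locations (/boot/config-$(uname -r), falling back to /usr/src/linux/.config; yours may differ), and that 'ip' comes from the iproute package as Tom says. The version parsing and config classification are pure shell so they can be tested without the real kernel.

```sh
#!/bin/sh
# Added example, not from the thread or from Shorewall: pre-flight check
# for the "Cannot send dump request: Connection refused" failure.
# Assumptions: 2.4.16 threshold per Tom's recollection; Debian config paths.

# kernel_needs_rtnetlink_option VERSION
#   returns 0: 2.4.x with x < 16, CONFIG_RTNETLINK must be set explicitly
#           1: 2.4.16 or later, rtnetlink is always built in
#           2: a kernel series this check knows nothing about
kernel_needs_rtnetlink_option() {
    ver=${1%%-*}                    # "2.4.18-2-686" -> "2.4.18"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}         # keep the leading digits only
    [ "$major" = 2 ] && [ "$minor" = 4 ] || return 2
    [ "${patch:-0}" -lt 16 ] && return 0
    return 1
}

# config_rtnetlink_state CONFIGFILE
#   returns 0: CONFIG_RTNETLINK=y
#           1: "# CONFIG_RTNETLINK is not set"   (Suren's 2.4.9 config)
#           2: option absent altogether           (his 2.4.18 config)
#           3: file unreadable
config_rtnetlink_state() {
    [ -r "$1" ] || return 3
    grep -q '^CONFIG_RTNETLINK=y' "$1" && return 0
    grep -q '^# CONFIG_RTNETLINK is not set' "$1" && return 1
    return 2
}

# ip_works: does iproute's 'ip' get an answer from the kernel at all?
ip_works() {
    ip addr show >/dev/null 2>&1
}

# preflight: run the checks against the running kernel and say what to do.
preflight() {
    v=$(uname -r)
    cfg=/boot/config-$v
    [ -r "$cfg" ] || cfg=/usr/src/linux/.config

    if ip_works; then
        echo "ok: 'ip addr show' works on kernel $v"
        return 0
    fi
    echo "fail: 'ip addr show' cannot talk to the kernel ($v)"

    rc=0; kernel_needs_rtnetlink_option "$v" || rc=$?
    case $rc in
        0)
            cs=0; config_rtnetlink_state "$cfg" || cs=$?
            case $cs in
                1) echo "  $cfg: CONFIG_RTNETLINK is not set; enable it and rebuild" ;;
                0) echo "  $cfg says CONFIG_RTNETLINK=y; the running kernel may not match this config, or iproute is broken" ;;
                *) echo "  no usable config at $cfg; check CONFIG_RTNETLINK in the kernel you are running" ;;
            esac ;;
        1) echo "  2.4.16+ has rtnetlink built in; suspect the iproute package (apt-get --reinstall install iproute)" ;;
        *) echo "  kernel series $v is not covered by this check" ;;
    esac
    return 1
}

# Invoke as "sh preflight.sh run" on the gateway; sourcing it defines the functions only.
if [ "${1:-}" = run ]; then
    preflight
fi
```

The script never touches iptables or Shorewall state; it only reads the kernel config and asks the kernel for its address list, so it is safe to run on a live gateway before 'shorewall start'.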
After compiling the 2.4.18 kernel, Shorewall started successfully. Thanks.
Suren wrote:
> After compiling the 2.4.18 kernel, he shorewall started successfully.

Glad to hear it!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net